The listing of claims will replace all prior versions, and listings, of claims in the appUcation: 



Listing of Claims: 

1 . (Currently Amended) A method for monitoring a database , the database being managed 
by a database server , comprising: 

collecting submitting a first sot of one or more database queries, to a database serv^er that 
manages the database, to retrieve , from the database server that manages the 
database, data sets maintained permanently by the database server and comprising 
user behavior data that indicates a first set of behavior one or more actions 
performed, by one or more users , as a result of the one or more users executing a 
first set of database statements against relative to the databas e, wherein the 
collecting includes reading, from the database server, the data sets comprising 
user behavior data : 

processing and storing one or more sets of user behavior data as historical data, said one 
or more sets of user behavior data including said user behavior data that was 

retrieved from the database seiver in response to the first set of one or more 
database queries being executed against the database indicates the first set of 
behavior by the one or more users relative to the database : 
analyzing the historical data to determine behavior patterns; 

receiving submitting a second set of one or more database queries, to the database server, 
to retrieve , from the database server that manages the database , data sets 
maintained permanently by the database server and comprising a new set of user 
behavior data that indicates a second set of one or more actions performed, 
behavior by the one or more users , as a result of the one or more users executing a 
second set of database statements against relative to the database , the receiving 
includes reading, from the database server, the data sets comprising the new set of 
user behavior data : 

performing a comparison between based on the new set of user behavior data and the 

determined behavior patterns; 
determining, based on the comparison, whether the new set of user behavior data satisfies 

a set of criteria; 

if the new set of user behavior data satisfies the set of criteria, then determining that the 
new set of user behavior data represents anomalous activity; and 
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responding to the determination by performing a targeted operation. 



2. (Currently Amended) The method of claim 1, further comprising: 
determining if the new set of user behavior data violates a rule based policy; and 

if the new set of user behavior data violates the rule based policy, then determining that 
the new set of user behavior data represents anomalous activity. 

3. (Currently Amended) The method of claim 2, wherein collecting user behavior data 
submitting the first set of one or more database queries to the database server further 

comprises: 

reading information from an audit trail or dynamic performance viows of a database 
manager. 

4. (Currently Amended) The method of claim 3, wherein collecting user behavior data 
submitting the first set of one or more database queries to the database server further 
comprises collecting the user behavior data from submitting the first set of one or more 
database queries to the database server at a monitoring level selected from at least one of: 
information about database access for one or more selected database objects; 
information about database access for one or more selected database users; and 
information about database access for one or more selected database user sessions. 

5. (Currently Amended) The method of claim 3, wherein collecting user behavior data 
submitting the first set of one or more database queries to the database server further 
comprises: 

receiving a type of information to be monitored; 
determining a monitoring level from the type of information; and 
activating audit options of the database manager based upon the monitoring level 
determined. 

6. (Original) The method of claim 2, wherein analyzing the historical data to determine 
behavior pattems further comprises: 

determining a statistical model from the historical data. 
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7. (Original) The method of claim 6, wherein determining a statistical model from the 
historical data further comprises: 

determining a frequency of database access from the historical data; 
determining a probability function for frequencies of database access; and 
determining a cumulative probability function from the probability function. 

8. (Previously Presented) The method of claim 7, wherein performing a comparison 
between the new set of data and the determined behavior pattems further comprises: 
testing a hypothesis using the new set of data against the statistical model. 

9. (Original) The method of claim 8, wherein testing a hypothesis using the new set of data 
against the statistical model further comprises: 

determining a frequency of database access for the new set of data; and 
determining the threshold value from a guard criteria and a probability function 
parameter. 

10. (Original) The method of claim 9, wherein testing a hypothesis using the new set of data 
against the statistical model pattem further comprises: 

comparing the frequency of database access for the new set of data with the threshold 
value. 



11. (Original) The method of claim 7, wherein the historical information is about database 

access for one or more selected database objects and wherein determining a frequency of 
database access from the historical data further comprises determining a frequency of at 
least one of: 

object access frequency by hour of day, object access frequency by hour of day and 

operating system user, object access frequency by hour of day and database user, 
object access frequency by hour of day and location, object access frequency by 
hour of day and combination of at least two of operating system user, database 
user and location. 



12. (Original) The method of claim 7, wherein the historical information is about database 
access for one or more selected database users and wherein determining a frequency of 
database access from the historical data further comprises determining a frequency of at 
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least one of: 

user access frequency by hour of day, user access frequency by hour of day and operating 
system user, user access frequency by hour of day and database user, user access 
frequency by hour of day and location, user access frequency by hour of day and a 
combination of at least two of operating system user, database user, and location. 

13. (Original) The method of claim 7, wherein the historical information is about database 
access for one or more selected database user sessions and wherein determining a 
frequency of database access from the historical data further comprises determining a 

frequency of at least one of: 

number of page reads per session, access duration per session, number of page reads per 



14. (Original) The method of claim 1, wherein performing a targeted operation comprises at 
least one of: raising an alert; sending an email; producing a report; performing a 
visualization. 

15. (Currently Amended) A computer-readable storage medium carrying one or more 
sequences of instructions for reverting to a recovery configuration in response to device 
faults, which instructions, when executed by one or more processors, cause the one or 
more processors to carry out the steps of: 

collecting submitting a first set of one or more database queries, to a database server that 
manages the database, to rotrieve , from ^le a database server that manages a 
database , data sets maintained permanently by the database server and comprising 
user behavior data that indicates a first set of behavior one or more actions 



first set of database statements against relative to the databas e, wherein the 
collecting includes reading, from the database server, the data sets comprising 
user behavior data : 

processing and storing one or more sets of user behavior data as historical data, said one 
or more sets of user behavior data including said user behavior data that was 
retrieved from the database serv^er in response to the first set of one or more 
database queries being executed against the database indicates the first set of 
behavior by the one or more users relative to the database : 



unit time. 




■by one or more users, as a result of the one or more users executing a 
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analyzing the historical data to determine behavior patterns; 

receiving submitting a Gecond set of one or more databaoe queries, to the database server, 
to retrieve , from the database server that manages the database , data sets 
maintained permanentlv bv the database server and comprising a new set of user 
behavior data that indicates a second set of one or more actions performed, 
behavior by the one or more users , as a result of the one or more users executing a 
second sot of database statomonts against relative to the database , the receiving 
includes reading, from the database server, the data sets comprising the new set of 
user behavior data : 

performing a comparison between based on the new set of user behavior data and the 

determined behavior patterns; 
determining based on the comparison, whether the new set of user behavior data satisfies 

a set of criteria; 

if the new set of user behavior data satisfies the set of criteria, then determining that the 

new set of user behavior data represents anomalous activity; and 
responding to the determination by performing a targeted operation. 

16. (Currently Amended) The computer-readable storage medium of claim 15, further 
comprising instructions which, when executed by the one or more processors, cause the 
one or more processors to carry out the steps of: 

determining if the new set of user behavior data violates a rule based policy; and 
if the new set of user behavior data violates the rule based policy, then determining that 
the new set of user behavior data represents anomalous activity. 

17. (Currently Amended) The computer-readable storage medium of claim 16, wherein the 
instructions for carrying out the step of collecting user behavior data submitting the first 
set of one or more database queries to the database server further comprise instructions 
for carrying out the step of: 

reading information from an audit trail of the database manager. 

18. (Currently Amended) The computer-readable storage medium of claim 17, wherein the 
instructions for carrying out the step of submitting the first set of one or more database 
queries to the database ser\^er collecting user behavior data further comprise instructions 
for carrying out the step of submitting the first set of one or more database queries to the 
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database server collecting user behavior data at a monitoring level selected from at least 
one of: 

information about database access for one or more selected database objects; 
information about database access for one or more selected database users; and 
information about database access for one or more selected database user sessions. 

19. (Currently Amended) The computer-readable storage medium of claim 17, wherein the 
instructions for carrying out the step of submitting the first set of one or more database 
queries to the database serv^er collecting user behavior data further comprise instructions 
for carrying out the steps of: 

receiving a type of information to be monitored; 
determining a monitoring level from the type of infoiination; and 
activating audit options of the database manager based upon the monitoring level 
determined. 

20. (Previously Presented) The computer-readable storage medium of claim 16, wherein the 
instructions for carrying out the step of analyzing the historical data to determine 
behavior pattems further comprise instructions for carrying out the step of: 
determining a statistical model from the historical data. 

21. (Previously Presented) The computer-readable storage medium of claim 20, wherein the 
instructions for carrying out the step of determining a statistical model from the historical 
data further comprise instructions for carrying out the step of: 

determining a frequency of database access from the historical data; 
determining a probability function for frequencies of database access; and 
determining a cumulative probability function from the probability function. 

22. (Previously Presented) The computer-readable storage medium of claim 21, wherein the 
instructions for carrying out the step of performing a comparison between the new set of 
data and the determined behavior pattems further comprise instructions for carrying out 
the step of: 

testing a hypothesis using the new set of data against the statistical model. 

23. (Previously Presented) The computer-readable storage medium of claim 22, wherein the 
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instructions for carrying out the step of testing a hypothesis using the new set of data 
against the statistical model further comprise instructions for carrying out the steps of: 
determining a frequency of database access for the new set of data; and 
determining the threshold value from a guard criteria and a probability function 
parameter. 

24. (Previously Presented) The computer-readable storage medium of claim 23, wherein the 
instructions for carrying out the step of testing a hypothesis using the new set of data 
against the statistical model further comprise instructions for carrying out the step of: 
comparing the frequency of database access for the new set of data with the threshold 

value. 

25. (Previously Presented) The computer-readable storage medium of claim 21, wherein the 
historical information is about database access for one or more selected database objects 
and wherein the instructions for carrying out the step of determining a frequency of 
database access from the historical data further comprise instructions for carrying out the 
step of determining a frequency of at least one of: 

object access frequency by hour of day, object access frequency by hour of day and 

operating system user, object access frequency by hour of day and database user, 
object access frequency by hour of day and location and object access frequency 
by hour of day and a combination of at least two of operating system user, 
database user and location. 

26. (Previously Presented) The computer readable storage medium of claim 21, wherein the 
historical information is about database access for one or more selected database users 
and wherein the instructions for carrying out the step of determining a frequency of 
database access from the historical data further comprise instructions for carrying out the 
step of determining a frequency of at least one of: 

user access frequency by hour of day, user access frequency by hour of day and operating 
system user, user access frequency by hour of day and database user, user access 
frequency by hour of day and location and user access frequency by hour of day 
and a combination of at least two of operating system user, database user, and 
location. 
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27. (Previously Presented) The computer readable storage medium of claim 21, wherein the 
historical information is about database access for one or more selected database user 
sessions and wherein the instructions for carrying out the step of determining a frequency 
of database access from the historical data further comprise instructions for carrying out 
the step of determining a frequency of at least one of: 

number of page reads per session, access duration per session, number of page reads per 
unit time. 

28. (Previously Presented) The computer readable storage medium of claim 15, wherein the 
instmctions for carrying out the step of performing a targeted operation comprises 
comprise instmctions for carrying out at least one of: raising an alert; sending an email; 
producing a report; performing a visualization. 

29. (Currently Amended) An apparatus, comprising: 

means for collecting submitting a first set of one or more database queries, to a database 
server that manages the database, to retrieve , from fee a database server that 
manages a database , data sets maintained permanentlv bv the database server and 
comprising user behavior data that indicates a first set of behavior one or more 
actions performed, b y one or more users , as a result of the one or more users 
executing a first set of database statements against relative to the database^ 
wherein the collecting includes reading, from the database server, the data sets 
comprising user behavior ; 

means for processing and storing one or more sets of user behavior data as historical data, 
said one or more sets of user behavior data including said user behavior data that 
was retrieved from the database ser\^er in response to the first set of one or more 
database queries being executed against the database indicates the first set of 
behavior bv the one or more users relative to the database : 

means for analyzing the historical data to determine behavior patterns; 

means for receiving submitting a second set of one or more database queries, to the 

database server, to retrieve , from the database server that manages the database , 
data sets maintained permanentlv by the database server and comprising a new set 
of user behavior data that indicates a second set of one or more actions performed, 
behavior by the one or more users , as a result of the one or more users executing a 
second set of database statements relative to against the database , the means for 
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receiving including means for reading, from the database server, the data sets 

comprising the new set of user behavior data : 
means for performing a comparison between based on the new set of user behavior data 

and the determined behavior patterns; 
means for determining based on the comparison, whether the new set of user behavior 

data satisfies a set of criteria; 
means for determining that the new set of user behavior data represents anomalous 

activity, if the new set of user behavior data satisfies the set of criteria; and 
means for responding to the determination by performing a targeted operation. 

30. (Currently Amended) An apparatus, comprising: 

a data collector for (a) collectin g, from a database server that manages a database, data 

sets maintained permanentlv by the database server and comprising user behavior 
data that indicates a first set of behavior one or more actions performed , by one or 
more users , as a result of the one or more users executing a first set of database 
statements against relative to the database, wherein the collecting includes 
reading, from the database server, the data sets comprising user behavior data, (b) 
processing and storing the one or more sets of user behavior data as historical 
data, said one or more sets of user behavior data including said user behavior data 
that was retrieved from the database server in response to the first set of one or 
more database queries being executed against the database indicates the first set of 
behavior by the one or more users relative to the database , and (c) receiving 
submitting a aecond sot of one or more database quQrioa, to tho database ^on er, to 
retrieve , from the database server that manages the database , data sets maintained 
permanently by the database server and comprising a new set of user behavior 
data that indicates a second set of one or more actions performed, behavior b y the 
one or more users , as a result of the one or more users executing a second set of 
database statements against relative to the databas e, the receiving including 
reading, from the database server, the data sets comprising the new set of user 
behavior data : 

a data analyzer for analyzing the historical data to determine behavior pattems; and 
an anomaly detector for (a) performing a comparison between based on the new set of 
user behavior data and the determined behavior pattems, (b) determining, based 
on the comparison, whether the new set of user behavior data satisfies a set of 
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criteria, (c) determining that the new set of user behavior data represents 
anomalous activity if the new set of user behavior data satisfies the set of criteria, 
and (d) responding to the determination by performing a targeted operation. 



31. (New) The method of claim 3, wherein collecting user behavior data_further comprises: 
reading information from dynamic performance views of a database manager. 

32. (New) The computer-readable storage medium of claim 17, wherein collecting user 
behavior data_further comprises: 

reading information from dynamic performance views of a database manager. 

33. (New) The method of claim 1, wherein the data sets maintained permanently by the 
database server include audit trails. 

34. (New) The computer-readable storage medium of claim 15, wherein the data sets 
maintained permanently by the database server include audit trails. 
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